The Defense Department's new cybersecurity standard for contractors has completed the interagency review process, a DOD spokeswoman told FedScoop, and it will head into an open comment period once an interim rule is published.
The Cybersecurity Maturity Model Certification will soon be an official rule in the Defense Federal Acquisition Regulations (DFARS), meaning that contractors could see CMMC requirements in contracts soon thereafter. But before the rule is finalized, the public will have a period to provide input on one of the largest-ever changes to defense contracting.
The new standard includes five tiers of network security controls that will need to be checked by third-party assessors. The first cadre of assessors is currently being trained by the CMMC Accreditation Body. Getting a CMMC assessment will be a new cost to all contractors in the defense industrial base, except those that provide commercial off-the-shelf items. While the model itself is based on the current standards for contractors developed by the National Institute of Standards and Technology, some controls differ, officials have said.
“The rule has finished interagency review, and we are still expecting the rule to come out by the end of the calendar year,” a DOD spokeswoman told FedScoop in an email.
The DFARS rule will be published as an interim rule with a delayed effective date. Issuing the rule change as an interim rule will allow time to consider "all public comments" as the Pentagon develops the final rule. Initially, the plan was to issue a notice of rulemaking in the spring, but the coronavirus pandemic forced the government to delay its process for scheduling a public hearing. Of late, Katie Arrington, the DOD CISO for acquisition and sustainment and lead CMMC official, has said the new rulemaking process, with an expected end-of-year publishing date, is on track.
"We are still tracking right along for the DFARS rule change," Arrington said in August. "That has not deviated."
Some parts of the defense industry have been vocal about needing waivers or other accommodations. Universities that conduct basic research for the DOD have written letters asking “that the DOD should exclude fundamental research from the CMMC program.”
So far, Arrington has said that the rule will cover all contractors and the need remains to “buy down the risk” and not allow for exceptions.